Atlassian warns of critical security vulnerability

Confluence server can leak creds, cloud version is safe, fix is in.

Atlassian has revealed a critical security issue in Confluence server.

An advisory (sign-in required) issued at 3:00AM Thursday, Australian time, offered the following explanation of the flaw:

“Confluence Server and Data Center had a local file disclosure vulnerability in the page export function. A remote attacker who has Add Page space permission would be able to read arbitrary files in the /confluence/WEB-INF directory, which may contain configuration files used for integrating with other services, potentially leaking credentials, such as LDAP credentials, or other sensitive information. The potential to leak LDAP credentials exists if LDAP credentials are specified in an atlassian-user.xml file, which is a deprecated method for configuring LDAP integration.”

All versions of Confluence Server and Confluence Data Center from 6.1.0 before 6.6.16 (the fixed version for 6.6.x), from 6.7.0 before 6.13.7 (the fixed version for 6.13.x), and from 6.14.0 before 6.15.8 (the fixed version for 6.15.x) are affected by this vulnerability.

Atlassian has released version 6.15.8 of Confluence Server to fix the problem and recommends a swift upgrade. The release notes for version 6.15 are already available, as is the new version for download.

Users of the Enterprise releases of Confluence Server have a different upgrade path, to version 6.6.16 or 6.13.7, the fixed versions for the 6.6.x and 6.13.x lines.

There is also an option for those who cannot upgrade immediately, in the form of a workaround: set the atlassian.confluence.export.word.max.embedded.images system property to zero, which sets the maximum number of images included in Word exports to none and so prevents images from being embedded in those exports. This is a mitigation rather than a fix, since it disables part of the export feature instead of correcting the flaw, so upgrading remains the recommended course.
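As an added example, not code from the article or from Atlassian, the following Python maps an installed Confluence version string against the three affected ranges stated above and reports the fixed version an install should move to, so an inventory of Confluence hosts can be triaged quickly. The version ranges are taken from the advisory text; the hostnames and versions in the sample inventory are constructed for illustration.

```python
"""Triage Confluence Server / Data Center versions against the affected ranges
in the advisory quoted above. Added example; not Atlassian's code."""

# (first affected, first fixed, fix to install), as stated in the advisory:
# 6.1.0 <= v < 6.6.16, 6.7.0 <= v < 6.13.7, 6.14.0 <= v < 6.15.8.
AFFECTED_RANGES = (
    ((6, 1, 0), (6, 6, 16), "6.6.16"),
    ((6, 7, 0), (6, 13, 7), "6.13.7"),
    ((6, 14, 0), (6, 15, 8), "6.15.8"),
)


def parse_version(text):
    """Turn '6.13.3' into (6, 13, 3). A two-part string like '6.15' is read as 6.15.0."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Confluence version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))


def fixed_version_for(text):
    """Return the version an affected install should upgrade to, or None if the
    version falls outside every affected range stated in the advisory."""
    version = parse_version(text)
    for first_affected, first_fixed, fix in AFFECTED_RANGES:
        if first_affected <= version < first_fixed:
            return fix
    return None


def triage(inventory):
    """inventory maps hostname -> version string. Returns {hostname: fix version}
    for the hosts that still need patching; hosts outside the affected ranges are omitted."""
    needs_patch = {}
    for host, version in inventory.items():
        fix = fixed_version_for(version)
        if fix is not None:
            needs_patch[host] = fix
    return needs_patch


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = {
    "wiki-prod-01": "6.13.3",   # affected, 6.13.x Enterprise line -> 6.13.7
    "wiki-prod-02": "6.6.16",   # already at the 6.6.x fixed version
    "wiki-dev": "6.15.2",       # affected -> 6.15.8
    "wiki-legacy": "6.0.7",     # before 6.1.0, not in any stated affected range
    "wiki-staging": "6.9.0",    # 6.7.0 <= v < 6.13.7, fix is 6.13.7
}

if __name__ == "__main__":
    for host, fix in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: upgrade to {fix}")
```

A version outside all three ranges, whether older than 6.1.0, at or above a fixed version, or newer than anything the advisory lists, returns None; that reflects only what the advisory states, so a host reported as clean still deserves a check against Atlassian's current advisory list rather than being assumed safe.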

The advisory is the eighth Atlassian has issued this year; the company issued eight in all of 2018, a low count compared with other vendors.

Copyright © nextmedia Pty Ltd. All rights reserved.